<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Monaco;
panose-1:2 0 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Ohhh, I’m extremely sorry. There was a bug in my test harness that was causing the id token to leak between requests. Looking at the actual messages exchanged I can confirm that the server
only sent the access token. I apologize.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Luiz<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Justin Richer <jricher@mit.edu><br>
<b>Date: </b>Monday, July 10, 2017 at 9:46 AM<br>
<b>To: </b>Luiz Omori <luiz.omori@duke.edu><br>
<b>Cc: </b>"mitreid-connect@mit.edu" <mitreid-connect@mit.edu><br>
<b>Subject: </b>Re: [mitreid-connect] Client credentials security issue?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Can you send me, off list, transcripts of the http transactions? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="composer_signature">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757">--Justin<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757"> <i>Sent from my phone</i><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">-------- Original message --------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">From: Luiz Omori <luiz.omori@duke.edu>
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Date: 7/10/17 9:08 AM (GMT-05:00) <o:p>
</o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">To: Justin Richer <jricher@mit.edu>
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Cc: mitreid-connect@mit.edu <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Subject: Re: [mitreid-connect] Client credentials security issue?
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">I can reproduce this behaviour with
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mitreid.org&d=DwMGaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=-mMH3LV8D6reZOq3duNPrropZtYA_7G3p6-ypBmImcw&s=IoxTCR7dCp6b5LSsF_rhB9lqPI4srkM-DXhRemGKzGk&e=">
https://mitreid.org</a>.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-size:11.0pt;font-family:Calibri">1.</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:Calibri">Perform Authorization Code flow to successfully acquire an access token. Not sure if it matters, but I’ve created my own client, Duke.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-size:11.0pt;font-family:Calibri">2.</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:Calibri">Perform client credentials using the same client above. Server responded with an ID Token. My request didn’t contain any scopes.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">Yes, I had seen the exact line of code you are talking about. It could be a problem in my environment, but I didn’t see it being
hit for the client credentials flow when I was debugging my local instance.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">Regards,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">Luiz</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-family:Calibri;color:black">From:
</span></b><span style="font-family:Calibri;color:black">Justin Richer <jricher@mit.edu><br>
<b>Date: </b>Friday, July 7, 2017 at 5:36 PM<br>
<b>To: </b>Luiz Omori <luiz.omori@duke.edu><br>
<b>Cc: </b>"mitreid-connect@mit.edu" <mitreid-connect@mit.edu><br>
<b>Subject: </b>Re: [mitreid-connect] Client credentials security issue?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I just tried this on the <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__mitreid.org&d=DwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=uke5BTnN2wjpd6gKBTPKqgofFvPI-7IDTsHjji5CIYU&s=z5nd_a4EUNIWWgh52HcYNXOPaygCp3jwzRmSu3Qi-YE&e=">mitreid.org</a> test
server and I couldn’t replicate it. Then I checked the code and what you’re describing is prevented by this line in <span style="font-size:8.5pt;font-family:Monaco">ConnectTokenEnhancer</span>:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:8.5pt;font-family:Monaco;color:#931A68">if</span><span style="font-size:8.5pt;font-family:Monaco"> (<span style="color:#7E504F">originalAuthRequest</span>.getScope().contains(SystemScopeService.<span style="color:#0326CC">OPENID_SCOPE</span>)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:8.5pt;font-family:Monaco">&& !<span style="color:#7E504F">authentication</span>.isClientOnly()) {</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If you do get an ID token at all through some fluke, it should refer to the client that authenticated, as that’s the authenticated “user” in that scenario. Same deal with token
introspection of access tokens. <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> — Justin<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Jul 7, 2017, at 4:26 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu">luiz.omori@duke.edu</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri">Hi,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri">I’ve just run by chance into a suspicious behaviour while exercising the Client Credentials flow. Along with the request I’ve sent scope=openid offline_access. Interesting enough, I got an id_token back. That
id-token was referring to a user that I used for an Authorization Code request done immediately before the Client Credentials call. My usage of scope for the Client Credentials may or may not be legal, but in any case I don’t think the server should be sending
an ID Token back for Client Credentials. I’m using server version 1.3.1.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri">Regards,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:Calibri">Luiz</span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:Helvetica;background:white">_______________________________________________</span><span style="font-size:9.0pt;font-family:Helvetica"><br>
<span style="background:white">mitreid-connect mailing list</span><br>
</span><a href="mailto:mitreid-connect@mit.edu"><span style="font-size:9.0pt;font-family:Helvetica;color:#954F72;background:white">mitreid-connect@mit.edu</span></a><span style="font-size:9.0pt;font-family:Helvetica"><br>
</span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.mit.edu_mailman_listinfo_mitreid-2Dconnect&d=DwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=uke5BTnN2wjpd6gKBTPKqgofFvPI-7IDTsHjji5CIYU&s=FzfiqkrzHX9g0M1w3fRW7R60mCOgNwyH6aU6jUGKmoQ&e="><span style="font-size:9.0pt;font-family:Helvetica;color:#954F72;background:white">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>